Hello Vincent,

What you propose is fine, but I foresee a big number of actions (let's say 100). Defining permission for each separately is quite a task. Also Ericsson and at least Tail-f have actions defined in the data model.
For this reason I believe each action should have an access control property readOnly/mightChangeConfiguration/mightDisturbTraffic which tells you how dangerous the action is. After this it would be easy to say things like:
- Junior operator has readOnly access to the whole configuration
- performance manager operator has full read rights, write rights to the top/performanceManagement subtree, but no disturbTraffic rights
- superuser has full rights to everything.

I chose the readOnly/mightChangeConfiguration/mightDisturbTraffic options as these are the things that are really interesting for the operator although one might argue about disturbTraffic. On the other hand I feel the operator does not care if we update an attribute or create a new one. For him it is the same: you made a configuration change that potentially might have long term effects.
regards
Balazs

cridligv@loria.fr wrote:
Hi Balazs,

Sorry for the long delay...

We could add a new attribute value like 'x' for the operations:

<permission id="1" op="x"> <kill/> </permission>

OR

<permission id="1" op="kill"/>

where kill can be replaced with lock, unlock, and so on.

I prefer the second version.

Regards,
Vincent

Quoting Balazs Lengyel <balazs.lengyel@ericsson.com>:

Hello Vincent,

I recently read your netconf RBAC draft. I have one question: How would you control actions other than the standard get/edit/copy/delete? I am interested both in standard "actions" like kill, lock, unlock and possible proprietary ones like ping, restart, etc.

Balazs
--
Balazs Lengyel
Ericsson Hungary Ltd.
TSP System Manager
ECN: 831 7320
Fax: +36 1 4377792
Tel: +36-1-437-7320
email: Balazs.Lengyel@ericsson.com

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>
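
The per-action classification proposed in the message above, sketched as an added example that is not part of the original thread or of the RBAC draft. Assumptions: each class maps to one right (read, write, disturbTraffic) granted per subtree, and the action catalogue, its classifications, the `resetCounters` action and the `top/diagnostics` path are constructed for illustration.

```python
# Classes an action can carry, as named in the thread.
READ_ONLY = "readOnly"
MIGHT_CHANGE_CONFIG = "mightChangeConfiguration"
MIGHT_DISTURB_TRAFFIC = "mightDisturbTraffic"

# Assumption: the right a role must hold to invoke an action of each class.
REQUIRED_RIGHT = {
    READ_ONLY: "read",
    MIGHT_CHANGE_CONFIG: "write",
    MIGHT_DISTURB_TRAFFIC: "disturbTraffic",
}

# Constructed catalogue: action -> (class, data-model path it is defined under).
ACTIONS = {
    "ping": (READ_ONLY, "top/diagnostics"),
    "resetCounters": (MIGHT_CHANGE_CONFIG, "top/performanceManagement"),
    "restart": (MIGHT_DISTURB_TRAFFIC, "top"),
}

# The three roles described in the thread: right -> subtrees it applies to.
ROLES = {
    "juniorOperator": {"read": ["top"]},
    "performanceManager": {"read": ["top"],
                           "write": ["top/performanceManagement"]},
    "superuser": {"read": ["top"], "write": ["top"],
                  "disturbTraffic": ["top"]},
}

def covers(subtree, path):
    """True if path is the subtree or below it, compared by whole segments
    so that 'top/pm' never covers 'top/pmOther'."""
    s, p = subtree.split("/"), path.split("/")
    return p[:len(s)] == s

def may_invoke(role, action):
    """Default deny: unknown role, unknown action or missing right all fail."""
    if role not in ROLES or action not in ACTIONS:
        return False
    action_class, path = ACTIONS[action]
    granted = ROLES[role].get(REQUIRED_RIGHT[action_class], [])
    return any(covers(subtree, path) for subtree in granted)

if __name__ == "__main__":
    for role in ROLES:
        print(role, {a: may_invoke(role, a) for a in ACTIONS})
```

With this shape, a newly added action needs only its class and path recorded once; no per-role permission entry is written for it.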